+1 Recommend
1 collections
      • Record: found
      • Abstract: found
      • Article: found
      Is Open Access

      Security and privacy requirements for a multi-institutional cancer research data grid: an interview-based study


      Read this article at

          There is no author summary for this article yet. Authors can add summaries to their articles on ScienceOpen to make them more accessible to a non-specialist audience.



          Data protection is important for all information systems that deal with human-subjects data. Grid-based systems – such as the cancer Biomedical Informatics Grid (caBIG) – seek to develop new mechanisms to facilitate real-time federation of cancer-relevant data sources, including sources protected under a variety of regulatory laws, such as HIPAA and 21CFR11. These systems embody new models for data sharing, and hence pose new challenges to the regulatory community, and to those who would develop or adopt them. These challenges must be understood by both systems developers and system adopters. In this paper, we describe our work collecting policy statements, expectations, and requirements from regulatory decision makers at academic cancer centers in the United States. We use these statements to examine fundamental assumptions regarding data sharing using data federations and grid computing.


          An interview-based study of key stakeholders from a sample of US cancer centers. Interviews were structured, and used an instrument that was developed for the purpose of this study. The instrument included a set of problem scenarios – difficult policy situations that were derived during a full-day discussion of potentially problematic issues by a set of project participants with diverse expertise. Each problem scenario included a set of open-ended questions that were designed to elucidate stakeholder opinions and concerns. Interviews were transcribed verbatim and used for both qualitative and quantitative analysis. For quantitative analysis, data was aggregated at the individual or institutional unit of analysis, depending on the specific interview question.


          Thirty-one (31) individuals at six cancer centers were contacted to participate. Twenty-four out of thirty-one (24/31) individuals responded to our request- yielding a total response rate of 77%. Respondents included IRB directors and policy-makers, privacy and security officers, directors of offices of research, information security officers and university legal counsel. Nineteen total interviews were conducted over a period of 16 weeks. Respondents provided answers for all four scenarios (a total of 87 questions). Results were grouped by broad themes, including among others: governance, legal and financial issues, partnership agreements, de-identification, institutional technical infrastructure for security and privacy protection, training, risk management, auditing, IRB issues, and patient/subject consent.


          The findings suggest that with additional work, large scale federated sharing of data within a regulated environment is possible. A key challenge is developing suitable models for authentication and authorization practices within a federated environment. Authentication – the recognition and validation of a person's identity – is in fact a global property of such systems, while authorization – the permission to access data or resources – mimics data sharing agreements in being best served at a local level. Nine specific recommendations result from the work and are discussed in detail. These include: (1) the necessity to construct separate legal or corporate entities for governance of federated sharing initiatives on this scale; (2) consensus on the treatment of foreign and commercial partnerships; (3) the development of risk models and risk management processes; (4) development of technical infrastructure to support the credentialing process associated with research including human subjects; (5) exploring the feasibility of developing large-scale, federated honest broker approaches; (6) the development of suitable, federated identity provisioning processes to support federated authentication and authorization; (7) community development of requisite HIPAA and research ethics training modules by federation members; (8) the recognition of the need for central auditing requirements and authority, and; (9) use of two-protocol data exchange models where possible in the federation.

          Related collections

          Most cited references4

          • Record: found
          • Abstract: found
          • Article: not found

          Towards a Data Sharing Culture: Recommendations for Leadership from Academic Health Centers

          Rebecca Crowley and colleagues propose that academic health centers can and should lead the transition towards a culture of biomedical data sharing.
            • Record: found
            • Abstract: found
            • Article: not found

            caGrid 1.0: an enterprise Grid infrastructure for biomedical research.

            To develop software infrastructure that will provide support for discovery, characterization, integrated access, and management of diverse and disparate collections of information sources, analysis methods, and applications in biomedical research. An enterprise Grid software infrastructure, called caGrid version 1.0 (caGrid 1.0), has been developed as the core Grid architecture of the NCI-sponsored cancer Biomedical Informatics Grid (caBIG) program. It is designed to support a wide range of use cases in basic, translational, and clinical research, including 1) discovery, 2) integrated and large-scale data analysis, and 3) coordinated study. The caGrid is built as a Grid software infrastructure and leverages Grid computing technologies and the Web Services Resource Framework standards. It provides a set of core services, toolkits for the development and deployment of new community provided services, and application programming interfaces for building client applications. The caGrid 1.0 was released to the caBIG community in December 2006. It is built on open source components and caGrid source code is publicly and freely available under a liberal open source license. The core software, associated tools, and documentation can be downloaded from the following URL: https://cabig.nci.nih.gov/workspaces/Architecture/caGrid. While caGrid 1.0 is designed to address use cases in cancer research, the requirements associated with discovery, analysis and integration of large scale data, and coordinated studies are common in other biomedical fields. In this respect, caGrid 1.0 is the realization of a framework that can benefit the entire biomedical community.
              • Record: found
              • Abstract: found
              • Article: not found

              A multidisciplinary approach to honest broker services for tissue banks and clinical data: a pragmatic and practical model.

              Honest broker services are essential for tissue- and data-based research. The honest broker provides a firewall between clinical and research activities. Clinical information is stripped of Health Insurance Portability and Accountability Act-denoted personal health identifiers. Research material may have linkage codes, precluding the identification of patients to researchers. The honest broker provides data derived from clinical and research sources. These data are for research use only, and there are rules in place that prohibit reidentification. Very rarely, the institutional review board (IRB) may allow recontact and develop a recontact plan with the honest broker. Certain databases are structured to serve a clinical and research function and incorporate 'real-time' updating of information. This complex process needs resolution of a variety of issues regarding the precise role of the HB and their interaction with data. There also is an obvious need for software solutions to make the task of deidentification easier. The University of Pittsburgh has implemented a novel, IRB-approved mechanism to address honest broker functions to meet the specimen and data needs of researchers. The Tissue Bank stores biologic specimens. The Cancer Registry culls data and annotating information as part of state- and federal-mandated functions and collects data on the clinical progression, treatment, and outcomes of cancer patients. The Cancer Registry also has additional IRB approval to collect data elements only for research purposes. The Clinical Outcomes Group is involved in patient safety and health services research. Radiation Oncology and Medical Oncology provide critical treatment related information. Pathology and Oncology Informatics have designed software tools for querying availability of specimens, extracting data, and deidentifying specimens and annotating data for clinical and translational research. These entities partnered and submitted a joint IRB proposal to create an institutional honest broker facility. The employees of this conglomerate have honest broker agreements with the University of Pittsburgh and the Medical Center. This provides a large group of honest brokers, ensuring availability for projects without any conflict of interest. The honest broker system has been an IRB-approved institutional entity at the University of Pittsburgh since 2003. The honest broker system currently includes 33 certified honest brokers encompassing the multiple partners of this system. The honest broker system has handled >1600 requests over the past 4 years with a 25% increase in volume each year. The current results indicate that the collaborative honest broker model described herein is robust and provides a highly functional solution to the specimen and data needs for critical clinical and translational research activities.

                Author and article information

                BMC Med Inform Decis Mak
                BMC Medical Informatics and Decision Making
                BioMed Central
                15 June 2009
                : 9
                : 31
                [1 ]Information Science and Technology, Fox Chase Cancer Center, Philadelphia PA, USA
                [2 ]Information Technology, Fred Hutchinson Cancer Research Center, Seattle WA, USA
                [3 ]Academic Technology, University of Texas Health Science Center at Houston, USA
                [4 ]Biomedical Informatics, University of Pittsburgh School of Medicine, Pittsburgh PA, USA
                Copyright ©2009 Manion et al; licensee BioMed Central Ltd.

                This is an Open Access article distributed under the terms of the Creative Commons Attribution License ( http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

                : 23 October 2008
                : 15 June 2009
                Research Article

                Bioinformatics & Computational biology
                Bioinformatics & Computational biology


                Comment on this article